UK retailing giants Marks & Spencer, Co-op, and Harrods are struggling with suspected ransomware attacks that have limited business and caused severe losses.
The past couple of weeks have been difficult for three major retail companies in the UK. Marks & Spencer were the first to suffer a suspected ransomware attack on April 22, 2025, followed by the Co-op Group on April 30, and then Harrods on May 1. The cyberattacks have been very consequential - Marks & Spencer (M&S) was forced to stop taking clothing and home orders online three days into the attack, along with any online job ads. Personal information (names, contact details, and even dates of birth) of present and previous members of the Co-op was stolen, and the company was also forced to shut off parts of its IT systems, limiting payment methods. Harrods has been less affected, but still had to limit internet access as a result of the attacks.
These disruptions pose more than inconveniences to customers - the attacked businesses have weathered critical losses because of the cyberattacks. Senior Risk Intelligence Manager at Signifyd, Xavier Sheikrojan, commented on the potential impact: “The recent wave of cyberattacks on major UK retailers, including Marks & Spencer, Co-op and Harrods, is a stark warning to the ecommerce industry. Reports suggest M&S is losing as much as GBP £1 million per day in sales, which is a reminder that the cost of disruption goes well beyond immediate financial loss. It can take months or even years to rebuild customer trust and operational stability.” Reuters reports that M&S has also lost nearly 700 million pounds ($930 million) in stock market value.
While these three attacks were first believed to be unconnected, one group of anonymous hackers, DragonForce, has claimed responsibility for the hacks. DragonForce contacted the BBC to undermine the Co-op’s earlier message that there was “no evidence that customer data was compromised”, instead saying that they had the private information of the 20 million people who had Co-op memberships. The cybercriminals shared a data sample with private information from 10,000 customers, hoping the evidence would encourage the company to pay a ransom (the amount is not publicly known).
The group used social engineering to trick IT workers at M&S and Co-op into resetting their passwords, which also gave them access to the internal Teams chats that were shown to the BBC. Interestingly, DragonForce is believed to be connected to Scattered Spider, a ransomware group that was behind the famous MGM and Caesars hacks. DragonForce has taken over the ransomware-as-a-service tool (RansomHub) that Scattered Spider used, remodeled to be “RansomBay”, as part of their work to build a ‘ransomware cartel’.
Ransomware has been a growing problem in the UK for a while. According to The Record, 2023 was “a record year for the charitable and voluntary sector, the education and childcare sector, the financial sector, the legal sector, the online tech and telecoms sector, the retail sector, and for organizations in social care.” Ecommerce and retailers may be appealing targets to threat actors because of the wealth of payment and identity information they hold.
This wave of powerful attacks corresponds to a larger uptick in ransomware globally, as hackers become ‘more brutal’. The development of artificial intelligence (AI) has also worsened the severity of modern cyberattacks. Pat McFadden (UK cabinet office minister) spoke at the National Cyber Security Centre’s (NCSC’s) CyberUK 2025 conference and shared that the NCSC received about 2,000 cyberattack reports in 2024, with nearly 90 being significant and 12 being of the highest level of severity - three times the number of severe attacks in 2023. On May 7, 2025, the NCSC released a report assessing and predicting the impact of AI on cyber attacks, arguing that “insufficient cyber security will almost certainly increase opportunity for capable state-linked actors and cyber criminals to misuse AI to support offensive activities.” Concerns about AI underpinning social engineering may have been realized in these hacks.
In response to the cyberattacks on retailers, the NCSC shared advice in a blog post so “all companies and organisations can minimise the chances of falling victim to actors like this.” They encourage organizations to use multi-factor authentication (MFA), build up monitoring for unauthorised account use, check who holds Domain, Enterprise, and Cloud Admin access, review password reset processes (in particular how a help desk verifies a caller before resetting credentials), confirm that logins from atypical sources can be identified by the security operations center, and ensure that they are up to date on threat intelligence about attacker techniques and how best to respond.
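Several of the NCSC checks above (monitoring for account misuse, reviewing password resets, identifying logins from atypical sources, and knowing which accounts hold admin roles) can be combined into a single correlation rule: a password reset that is quickly followed by a login from an IP address or country the account has never used before, escalated when the account is privileged. The following is an added example written for this article, not code from the NCSC, the article's author, or any of the retailers; the log format, field names, sample events and privileged-role mapping are all constructed for the demo.

```python
"""Added example: correlate password resets with logins from unfamiliar
sources, the way a SOC detection rule for the NCSC advice above might.
Log format, sample events and role mapping are constructed, not real."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical pipe-separated format:
# timestamp|event|user|source_ip|country|detail
SAMPLE_LOG = """\
2025-04-20T09:02:11|login_success|alice|10.0.5.12|GB|
2025-04-21T08:55:40|login_success|alice|10.0.5.12|GB|
2025-04-22T10:14:03|password_reset|alice|10.0.1.9|GB|via helpdesk ticket
2025-04-22T10:21:47|login_success|alice|203.0.113.77|US|
2025-04-22T11:05:00|login_success|bob|10.0.5.30|GB|
2025-04-22T11:30:12|password_reset|bob|10.0.1.9|GB|self-service
2025-04-22T11:32:50|login_success|bob|10.0.5.30|GB|
"""

# Constructed: accounts that hold high-privilege roles (the NCSC asks you to
# know exactly who holds Domain, Enterprise and Cloud Admin access).
PRIVILEGED_USERS = {"alice": "Domain Admins"}

# A login this soon after a reset is treated as linked to that reset.
RESET_WINDOW = timedelta(hours=2)


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip, country, detail = line.split("|", 5)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "user": user,
            "ip": ip,
            "country": country,
            "detail": detail,
        })
    return events


def detect_suspicious_resets(events, privileged=PRIVILEGED_USERS,
                             window=RESET_WINDOW):
    """Return alerts for logins from a source the user has not been seen from
    before, where the login closely follows a password reset, or comes from a
    new country outright. Users with no prior login only build a baseline."""
    seen_ips = defaultdict(set)
    seen_countries = defaultdict(set)
    last_reset = {}
    alerts = []

    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["event"] == "password_reset":
            last_reset[user] = ev
            continue
        if ev["event"] != "login_success":
            continue

        has_baseline = bool(seen_countries[user])
        reset = last_reset.get(user)
        recent_reset = reset is not None and ev["ts"] - reset["ts"] <= window
        new_ip = ev["ip"] not in seen_ips[user]
        new_country = ev["country"] not in seen_countries[user]

        # A brand-new IP alone is noisy; require a recent reset to alert on it.
        # A brand-new country is atypical enough to alert on by itself.
        if has_baseline and (new_country or (new_ip and recent_reset)):
            reasons = []
            if recent_reset:
                reasons.append("recent_password_reset")
            if new_ip:
                reasons.append("new_ip")
            if new_country:
                reasons.append("new_country")
            role = privileged.get(user)
            if role:
                reasons.append(f"privileged_account:{role}")
            severity = "high" if (role and recent_reset) else "medium"
            alerts.append({
                "ts": ev["ts"].isoformat(),
                "user": user,
                "ip": ev["ip"],
                "country": ev["country"],
                "reset_detail": reset["detail"] if recent_reset else "",
                "reasons": reasons,
                "severity": severity,
            })

        seen_ips[user].add(ev["ip"])
        seen_countries[user].add(ev["country"])
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["user"], alert["ts"],
              alert["ip"], alert["country"], ", ".join(alert["reasons"]))
```

On the constructed sample, only `alice` produces an alert: her password was reset through a help-desk ticket and seven minutes later she "logged in" from a country and address never associated with the account, and she holds a Domain Admins role, so the alert is rated high. `bob` also had a reset, but logged in from his usual address, so the rule stays quiet. In a real deployment the baseline would come from weeks of history rather than two lines, and the reset detail field is what lets an analyst go straight to the help-desk ticket and review how the caller was verified.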
Outside of the blog post, Dr. Richard Horne, the CEO of the NCSC shared more counsel. “Our advice is organisations shouldn’t pay ransoms. If [companies] pay because they hope the ransom attackers won’t publish information, well, they need to know that all they’ve got is a criminal’s word for it. And if they pay to recover their systems, well, they should have recovery plans in place so they can recover their systems anyway.”
This position hints at the favored options shared in the UK ransomware proposal, which was published in January 2025. Horne did not mention a ban on ransomware payments (which was the first option in the proposal), but instead instructed people to fortify their cybersecurity posture: “All organisations need to see this as a wake-up call — to understand what their exposure is to cyber attacks, to ensure they’ve got the right defences in place, and to make sure they’ve got a plan to be able to continue operations and recover should they be hit by a cyber attack”.